Linux suffers the second serious vulnerability in as many weeks



Both privilege escalation vulnerabilities stem from errors in the kernel's handling of file pages cached in memory that allow untrusted users to modify those pages. They sit in networking and memory-fragment management code: CVE-2026-43284 affects the esp4 and esp6 (IPsec ESP) modules, and CVE-2026-43500 affects rxrpc. Last week's CopyFail exploited faulty page-cache handling in the AEAD authentication template used for IPsec extended sequence numbers. A 2022 vulnerability called Dirty Pipe likewise arose from a flaw that let attackers overwrite the page cache.

Researchers from the security company Automox wrote:

Dirty Frag belongs to the same family of bugs as Dirty Pipe and CopyFail, but targets the fragment member of the core sk_buff structure instead of pipe_buffer. The exploit uses splice() to place a reference to a read-only page-cache page (e.g. /etc/passwd or /usr/bin/su) into a fragment slot of the sender-side skb. The receiver-side kernel code then performs in-place cryptographic operations on that fragment, modifying the page cache in RAM. Every subsequent read of the file shows the corrupted version, even though the attacker only had read access.

CVE-2026-43284 lies in esp_input() in the IPsec ESP receive path. When an skb is non-linear but has no fragment list, the code skips skb_cow_data() and performs the AEAD decryption in place on the planted fragment. From there, the attacker controls the file offset and the 4-byte value of each store.

CVE-2026-43500, meanwhile, resides in rxkad_verify_packet_1(). That function decrypts RxRPC payloads with a single-block cipher operation, and the spliced pages serve as both source and destination. Together with the decryption key being freely extractable via add_key (rxrpc), this lets an attacker rewrite the contents in memory.

Either exploit is unreliable on its own. Some Ubuntu configurations use AppArmor to prevent untrusted users from creating namespaces, which neutralizes the ESP technique. Most other distributions do not load rxrpc.ko by default, which neutralizes the RxRPC arm. Chained together, however, the two exploits gave root on every major distribution Kim tested. Attackers can run them from any low-privileged foothold, whether SSH access, a web shell, a container escape, or a compromised low-privileged account.
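The two conditions just described, whether rxrpc.ko is loaded and whether unprivileged users can create namespaces, are the first things a defender will want to check on a host that cannot be patched right away. The POSIX shell script below is an added example written for this article, not tooling from Automox, Microsoft or Wiz. It reads the module list in /proc/modules format and a single-integer sysctl file; the path /proc/sys/kernel/apparmor_restrict_unprivileged_userns is assumed to be the Ubuntu AppArmor knob the article alludes to, and other distributions expose different controls. Both paths are parameters so the functions can be exercised against constructed input.

```shell
#!/bin/sh
# Added example (not Automox, Microsoft or Wiz tooling): a defender-side check
# for the two conditions the article says neutralize one arm of Dirty Frag each:
#   - the RxRPC arm needs rxrpc.ko loaded;
#   - the ESP arm needs the user to be able to create namespaces, which the
#     Ubuntu AppArmor restriction on unprivileged user namespaces blocks.
# File paths are parameters so the functions can run on constructed input; the
# defaults at the bottom point at the live kernel.

# module_loaded FILE NAME: succeed if NAME is listed in FILE (/proc/modules
# format, one module per line with the module name in the first field).
module_loaded() {
    [ -r "$1" ] || return 1
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# dirtyfrag_modules FILE: print, one per line, which of the modules involved
# in the two Dirty Frag paths are currently loaded. Always returns 0.
dirtyfrag_modules() {
    for m in rxrpc esp4 esp6; do
        module_loaded "$1" "$m" && printf '%s\n' "$m"
    done
    return 0
}

# userns_restricted FILE: FILE holds a single integer sysctl value, e.g.
# /proc/sys/kernel/apparmor_restrict_unprivileged_userns on Ubuntu (assumed
# path). Succeed when the value is non-zero, i.e. unprivileged users cannot
# create user namespaces. A missing or empty file counts as "not restricted".
userns_restricted() {
    [ -r "$1" ] || return 1
    v=$(tr -dc '0-9' < "$1")
    [ -n "$v" ] && [ "$v" -ne 0 ]
}

# report MODULES_FILE SYSCTL_FILE: human-readable summary; always returns 0.
report() {
    loaded=$(dirtyfrag_modules "$1" | tr '\n' ' ')
    if [ -n "$loaded" ]; then
        echo "Dirty Frag related modules loaded: $loaded"
    else
        echo "None of rxrpc, esp4, esp6 are loaded"
    fi
    if userns_restricted "$2"; then
        echo "Unprivileged user namespaces are restricted (ESP arm blocked per the article)"
    else
        echo "Unprivileged user namespaces not restricted by $2 (ESP arm not blocked)"
    fi
    return 0
}

# Run against the live kernel when invoked directly on a Linux host.
if [ -r /proc/modules ]; then
    report /proc/modules /proc/sys/kernel/apparmor_restrict_unprivileged_userns
fi
```

The module check is a point-in-time view: esp4 and esp6 can be loaded on demand later, so an absent module is informational rather than proof the ESP arm is closed, whereas the namespace restriction and the patch itself are the durable controls.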

“Dirty Frag is notable because it introduces multiple attack paths to the kernel involving rxrpc and esp/xfrm networking components to improve exploit reliability,” Microsoft researchers wrote. “Rather than relying on narrow time windows or unstable corruption conditions often associated with Linux local privilege escalation vulnerabilities, Dirty Frag appears designed to increase consistency in vulnerable environments.”

Researchers at Google-owned Wiz said the exploits are less likely to succeed in hardened containerized environments, such as Kubernetes with its default security configuration. “However, the risk remains significant for virtual machines or less constrained environments.”

The best response for anyone running Linux is to install the patches immediately. Although the fixes will likely require a reboot, protection against a threat as serious as Dirty Frag outweighs the cost of the downtime. Anyone unable to patch immediately should follow the mitigation steps set out in the posts linked above. Additional guidance can be found here.
